You can define the interceptor class methods that you want to use. WebSphere® Application Server supports two trust association interceptor interfaces: com.ibm.wsspi.security.TrustAssociationInterceptor and com.ibm.wsspi.security.tai.TrustAssociationInterceptor.
The isTargetInterceptor method determines whether the request originated with the proxy server associated with the interceptor. The implementation code must examine the incoming request object and determine if the proxy server forwarding the request is a valid proxy server for this interceptor. The result of this method determines whether the interceptor processes the request or not.
The validateEstablishedTrust method determines whether the proxy server from which the request originated is trusted. This method is called after the isTargetInterceptor method. The implementation code must authenticate the proxy server. The authentication mechanism is proxy-server specific. For example, in the product implementation for the WebSEAL server, this method retrieves the basic authentication information from the HTTP header and validates the information against the user registry used by WebSphere Application Server. If the credentials are invalid, the code throws a WebTrustAssociationException, indicating that the proxy server is not trusted and the request is to be denied.
The getAuthenticatedUsername method is called after trust is established between the proxy server and WebSphere Application Server. The product has accepted the proxy server authentication of the request and must now authorize the request. To authorize the request, the name of the original requestor must be subjected to an authorization policy to determine if the requestor has the necessary privilege. The implementation code for this method must extract the user name from the HTTP request header and determine if that user is entitled to the requested resource. For example, in the product implementation for the WebSEAL server, the method looks for an iv-user attribute in the HTTP request header and extracts the user ID associated with it for authorization.
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.*;
import com.ibm.wsspi.security.tai.*;

public class myTAIImpl extends WebSphereBaseTrustAssociationInterceptor
        implements TrustAssociationInterceptor {

    public myTAIImpl () {
    }

    public boolean isTargetInterceptor (HttpServletRequest req)
            throws WebTrustAssociationException {
        // Return true if this is the target interceptor, else return false.
        return false; // placeholder: claim no requests until implemented
    }

    public TAIResult negotiateValidateandEstablishTrust (HttpServletRequest req,
            HttpServletResponse res) throws WebTrustAssociationFailedException {
        // Validate the request and establish trust.
        // Create and return the TAIResult.
        throw new WebTrustAssociationFailedException(); // placeholder: fail closed until implemented
    }

    public int initialize (Properties props) {
        // Initialize the implementation. If successful return 0, else return 1.
        return 0;
    }

    public String getVersion() {
        // Return version.
        return "1.0";
    }

    public String getType() {
        // Return type.
        return "myTAIImpl";
    }

    public void cleanup () {
        // Cleanup code.
    }
}
// Default implementation of the init(Properties props) method. A custom
// implementation should override this.
public int init (java.util.Properties props) {
    String type = props.getProperty("com.ibm.wsspi.security.trustassociation.types");
    String classfile = props.getProperty("com.ibm.wsspi.security.trustassociation."
            + type + ".config");
    if (classfile != null && classfile.length() > 0) {
        return init(classfile);
    } else {
        return -1;
    }
}
Change your implementation to implement the init(Properties) method instead of relying on the init(String propsfile) method. As shown in the previous example, this default implementation reads the properties to locate the property file: it takes the value of the com.ibm.wsspi.security.trustassociation.types property, builds the key com.ibm.wsspi.security.trustassociation.<type>.config from it, and reads the file name from that property.
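The following is an added illustration, not IBM's code or the sample from the product documentation, of how the three responsibilities described above (recognizing the proxy, authenticating it, and extracting the asserted user) map onto the com.ibm.wsspi.security.tai.TrustAssociationInterceptor skeleton. It assumes the WebSphere API jars and the servlet API are on the classpath; the header names, property keys and class name are hypothetical, and the shared-secret mechanism stands in for whatever proxy authentication a real deployment uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Illustrative TAI (not part of WebSphere). Trusts a reverse proxy only when
 * it presents a pre-shared secret in one header, then takes the end-user name
 * from a second header. All header and property names below are hypothetical.
 */
public class SharedSecretTAI extends WebSphereBaseTrustAssociationInterceptor
        implements TrustAssociationInterceptor {

    // Hypothetical custom-property keys read in initialize(Properties).
    private static final String SECRET_PROP = "example.tai.sharedSecret";
    private static final String SECRET_HEADER_PROP = "example.tai.secretHeader";
    private static final String USER_HEADER_PROP = "example.tai.userHeader";

    private byte[] expectedSecret;
    private String secretHeader;
    private String userHeader;

    public int initialize(Properties props) {
        String secret = props.getProperty(SECRET_PROP);
        secretHeader = props.getProperty(SECRET_HEADER_PROP, "X-Proxy-Secret");
        userHeader = props.getProperty(USER_HEADER_PROP, "X-Proxy-User");
        if (secret == null || secret.isEmpty()) {
            return 1; // Misconfigured: refuse to load rather than trust every caller.
        }
        expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0;
    }

    // Step 1: only requests carrying the proxy's header are ours to handle.
    public boolean isTargetInterceptor(HttpServletRequest req)
            throws WebTrustAssociationException {
        return req.getHeader(secretHeader) != null;
    }

    // Steps 2 and 3: authenticate the proxy, then extract the asserted user.
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse res) throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        // Constant-time comparison so the check does not leak the secret.
        if (presented == null || !MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8), expectedSecret)) {
            // Proxy is not trusted: deny and never read the user header.
            throw new WebTrustAssociationFailedException("proxy authentication failed");
        }
        String user = req.getHeader(userHeader);
        if (user == null || user.trim().isEmpty()) {
            // Trusted proxy but no asserted identity: deny rather than guess.
            throw new WebTrustAssociationFailedException("no asserted user name");
        }
        // Trust is established; WebSphere authorizes this name against its registry.
        return TAIResult.create(HttpServletResponse.SC_OK, user.trim());
    }

    public String getVersion() { return "1.0"; }

    public String getType() { return "SharedSecretTAI"; }

    public void cleanup() { expectedSecret = null; }
}
```

The order of checks is the point: the user header is consulted only after the proxy has authenticated, so a client that reaches the application server directly cannot assert an identity by setting that header itself, and a missing or empty secret property makes initialize fail instead of loading a permissive interceptor.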
The location of the properties file is fully qualified (for example, app_server_root/properties/myTAI.properties). Because the location can differ in a WebSphere Application Server, Network Deployment environment, use variables such as ${USER_INSTALL_ROOT} to refer to the WebSphere Application Server installation directory. For example, if the file is named myTAI.properties and is located in the app_server_root/properties directory, set the following property:

com.ibm.wsspi.security.trustassociation.initPropsFile=app_server_root/properties/myTAI.properties

Type the previous code as one continuous line.
You must copy this class file to the profile_root/classes directory of each node and cell.